VYPR
Moderate severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 24, 2026

Vikunja Affected by DoS via Image Preview Generation

CVE-2026-33474

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vikunja before 2.2.0 has a DoS vulnerability where an attacker can exhaust CPU and memory by uploading highly compressed images with extremely large dimensions during preview generation.

Vulnerability

Overview

CVE-2026-33474 is a denial-of-service (DoS) vulnerability in Vikunja, an open-source self-hosted task management platform. The issue exists in versions 1.0.0-rc0 through 2.1.x. The root cause is unbounded image decoding and resizing during preview generation: the code enforces no limit on image dimensions or total pixel count before decoding, so an attacker can upload a highly compressed but extremely large-dimension image (e.g., a 10,000×10,000 PNG of ~284 KB) that expands to ~100 million pixels in memory during decoding and then triggers heavy CPU work during resizing [1][3].

Exploitation

An authenticated user with write access to a task can exploit this by uploading maliciously crafted image attachments. The preview generation endpoint (GetTaskAttachment) decodes the full image via image.Decode and resizes it to a target width without any guard on width, height, or total pixel count. Only the first preview request per attachment performs the expensive work; later requests are served from cache, but an attacker can upload many attachments, or issue concurrent first requests, to degrade or crash the service [3]. Beyond an account, the attack requires only that task attachments are enabled (task_attachments_enabled=true) and that the API is reachable [3].

Impact

Successful exploitation leads to excessive CPU and memory consumption, potentially degrading or denying service to other users. The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [3]: network-exploitable, low attack complexity, low privileges required (an authenticated account), no user interaction, and high availability impact with no confidentiality or integrity impact. Note that this vector evaluates to a base score of 6.5 (Medium) under the v3.1 formula, matching the Moderate severity label at the top of this page; a 7.5 (High) score would correspond to the same vector with PR:N, which would contradict the authenticated-user precondition described above.

Mitigation

The vulnerability is patched in Vikunja version 2.2.0, which rejects images exceeding 50 million pixels before decoding [2][3]. Users are strongly encouraged to update to this version. No workarounds are documented; disabling task attachments may prevent exploitation but reduces functionality.
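As an added example that is not part of the advisory or of Vikunja's code base, the following Go program shows the shape of the fix the Mitigation section describes: read only the image header with image.DecodeConfig, compare the declared pixel count against a 50-million-pixel budget, and call image.Decode only when the budget is met. The function names, the constructed header-only PNG used as the oversized input, and the 64 KB header read limit are this example's own assumptions; the exact check in Vikunja 2.2.0 may differ.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"
	"io"
)

// maxPreviewPixels mirrors the 50-million-pixel cap the advisory attributes to
// the 2.2.0 fix. This constant and the functions below are this example's own
// names, not Vikunja identifiers.
const maxPreviewPixels int64 = 50_000_000

// maxHeaderBytes bounds how much of an upload is read just to learn its size
// (assumed value for this example).
const maxHeaderBytes = 64 * 1024

var ErrImageTooLarge = errors.New("image exceeds preview pixel budget")

// decodeBounded replaces an unguarded image.Decode(r) call with a two-step
// decode: image.DecodeConfig parses only the header (for PNG, the IHDR chunk)
// and reports the declared dimensions without allocating pixel storage; the
// full decode runs only if width*height is within budget.
func decodeBounded(r io.ReadSeeker, maxPixels int64) (image.Image, error) {
	cfg, _, err := image.DecodeConfig(io.LimitReader(r, maxHeaderBytes))
	if err != nil {
		return nil, fmt.Errorf("reading image header: %w", err)
	}
	// Multiply in int64 so a hostile header cannot overflow the check on 32-bit builds.
	px := int64(cfg.Width) * int64(cfg.Height)
	if px > maxPixels {
		return nil, fmt.Errorf("%w: %dx%d = %d pixels, limit %d",
			ErrImageTooLarge, cfg.Width, cfg.Height, px, maxPixels)
	}
	// DecodeConfig consumed the header; rewind before the real decode.
	if _, err := r.Seek(0, io.SeekStart); err != nil {
		return nil, err
	}
	img, _, err := image.Decode(r)
	return img, err
}

// pngHeaderOnly builds a constructed PNG: the 8-byte signature plus a valid
// 8-bit RGB IHDR chunk with a correct CRC, and nothing else. It declares any
// dimensions in a few dozen bytes, which is enough for DecodeConfig to report
// them. A real attacker payload would be a complete, highly compressed PNG;
// this stand-in lets the guard be exercised without building one.
func pngHeaderOnly(width, height uint32) []byte {
	var ihdr [13]byte
	binary.BigEndian.PutUint32(ihdr[0:4], width)
	binary.BigEndian.PutUint32(ihdr[4:8], height)
	ihdr[8] = 8 // bit depth
	ihdr[9] = 2 // colour type 2 = truecolour (RGB)
	// ihdr[10..12]: compression, filter and interlace methods, all zero.

	chunk := append([]byte("IHDR"), ihdr[:]...)
	var buf bytes.Buffer
	buf.WriteString("\x89PNG\r\n\x1a\n")
	binary.Write(&buf, binary.BigEndian, uint32(len(ihdr)))
	buf.Write(chunk)
	binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(chunk)) // CRC covers type + data
	return buf.Bytes()
}

// tinyPNG encodes a real 2x2 image, standing in for a legitimate attachment.
func tinyPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 2, 2))
	img.Set(0, 0, color.RGBA{R: 255, A: 255})
	var buf bytes.Buffer
	if err := png.Encode(&buf, img); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// The advisory's example: 10,000 x 10,000 = 100 million pixels, rejected
	// before any pixel buffer is allocated.
	_, err := decodeBounded(bytes.NewReader(pngHeaderOnly(10_000, 10_000)), maxPreviewPixels)
	fmt.Println("oversized upload:", err)

	img, err := decodeBounded(bytes.NewReader(tinyPNG()), maxPreviewPixels)
	if err != nil {
		fmt.Println("legitimate upload failed:", err)
		return
	}
	fmt.Println("legitimate upload decoded:", img.Bounds())
}
```

The guard has to run on the header before the pixel decode, not on the decoded image: once image.Decode has returned, the allocation and decompression work the advisory describes has already happened. Any resize step that follows should also be fed only images that passed this check.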

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions        Patched versions
code.vikunja.io/api (Go)   >= 1.0.0-rc0, < 2.2.0    2.2.0

Affected products (2)

  • Vikunja/Vikunja [llm-fuzzy]
    Range: >= 1.0.0-rc0, < 2.2.0
  • go-vikunja/vikunja [v5]
    Range: >= 1.0.0-rc0, < 2.2.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.